Cisco ASR 1004 User Manual

4.6.2 IPsec Transforms and Lifetimes
Regardless of the IKE version selected, the TOE must be configured with the proper transform
for IPsec ESP encryption and integrity as well as IPsec lifetimes.
TOE-common-criteria(config)# crypto ipsec transform-set example esp-aes 128 esp-sha-hmac
Note that this configures IPsec ESP to use HMAC-SHA-1 and AES-CBC-128. To
change this to the other allowed algorithms the following options can replace
‘esp-aes 128’ in the command above:
Encryption Algorithm    Command
AES-CBC-256             esp-aes 256
AES-GCM-128             esp-gcm 128
AES-GCM-256             esp-gcm 256
Note: The size of the key selected here must be less than or equal to the key size
selected for the IKE encryption setting in 4.6.1.1 and 4.6.1.2 above. If
AES-CBC-128 was selected there for use with IKE encryption, then only
AES-CBC-128 or AES-GCM-128 may be selected here.
TOE-common-criteria(config-crypto)# mode tunnel
This configures tunnel mode for IPsec. Tunnel is the default, but by explicitly
specifying tunnel mode, the router will request tunnel mode and will accept only
tunnel mode.
TOE-common-criteria(config-crypto)# mode transport
This configures transport mode for IPsec.
TOE-common-criteria(config)# crypto ipsec security-association lifetime seconds 28800
The default time value for Phase 2 SAs is 1 hour. No configuration is
required for this setting since the default is acceptable; however, to change the
setting to 8 hours as claimed in the Security Target, use the
crypto ipsec security-association lifetime command as specified above.
TOE-common-criteria(config)# crypto ipsec security-association lifetime kilobytes 100000
This configures a lifetime of 100 MB of traffic for Phase 2 SAs. The default
amount for this setting is 2560 KB, which is the minimum configurable value for
this command. The maximum configurable value for this command is 4 GB.
Additional information regarding configuration of IPsec can be found in [10]. The IPsec
commands are dispersed within the Security Command References.
This functionality is available to the Privileged Administrator. Configuration of VPN
settings is restricted to the privileged administrator.
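
The rules in this section (the allowed ESP encryption transforms, the key-size limit relative to IKE, and the 8-hour Phase 2 lifetime) can be checked against a saved configuration. The Python below is an added example, not part of the Cisco guidance. Its assumptions: the function name `audit`, the caller-supplied `ike_key_bits` (the IKE key size from 4.6.1), the constructed sample configuration, treating 28800 seconds as an upper bound, and reading a transform with no size as 128-bit.

```python
# Allowed ESP encryption transforms, from the command and table in this section.
ALLOWED = {
    ("esp-aes", 128): "AES-CBC-128",
    ("esp-aes", 256): "AES-CBC-256",
    ("esp-gcm", 128): "AES-GCM-128",
    ("esp-gcm", 256): "AES-GCM-256",
}
MAX_SA_SECONDS = 28800  # 8 hours; treating this as an upper bound is an assumption


def audit(config_text, ike_key_bits):
    """Return (subject, finding) tuples for lines that break the section's rules."""
    findings = []
    for raw in config_text.splitlines():
        tok = raw.split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) > 4:
            name, args = tok[3], tok[4:]
            # Locate the ESP encryption transform (integrity transforms end in -hmac).
            idx = next((i for i, t in enumerate(args)
                        if t.startswith("esp-") and not t.endswith("-hmac")), None)
            if idx is None:
                findings.append((name, "no ESP encryption transform"))
                continue
            sized = idx + 1 < len(args) and args[idx + 1].isdigit()
            bits = int(args[idx + 1]) if sized else 128  # assumption: no size means 128
            shown = f"{args[idx]} {bits}" if sized else args[idx]
            label = ALLOWED.get((args[idx], bits))
            if label is None:
                findings.append((name, f"{shown} is not an allowed encryption transform"))
            elif bits > ike_key_bits:
                findings.append((name, f"{label} exceeds the {ike_key_bits}-bit IKE key size"))
        elif tok[:5] == ["crypto", "ipsec", "security-association", "lifetime", "seconds"]:
            if len(tok) > 5 and tok[5].isdigit() and int(tok[5]) > MAX_SA_SECONDS:
                findings.append(("lifetime", f"{tok[5]} s exceeds {MAX_SA_SECONDS} s"))
    return findings


# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
crypto ipsec transform-set example esp-aes 128 esp-sha-hmac
crypto ipsec transform-set strong esp-gcm 256
crypto ipsec transform-set legacy esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
"""

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE, ike_key_bits=128):
        print(f"{subject}: {finding}")
```

With a 128-bit IKE key the `strong` transform set is flagged because its ESP key is larger than the IKE key; with a 256-bit IKE key it passes.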

Cisco ASR 1004 Specifications

General
Product Type: Router
Form Factor: Rack-mountable
Rack Height: 2U
Forwarding Capacity: Up to 20 Gbps
Total Number of Ports: Varies by configuration
Number of Total Expansion Slots: 4
Product Series: ASR 1000
Model: ASR 1004
Forwarding Performance: Up to 20 Gbps
Operating System: Cisco IOS XE
Power Supply: Dual
Route Processor: ASR 1000 Series Route Processor
Network Interface Modules: SFP, SFP+, Gigabit Ethernet, 10 Gigabit Ethernet
Interfaces/Ports: Varies by configuration
Expansion Slot Type: SPA
Throughput: 20 Gbps
Redundancy: Power supply, Route Processor
Interfaces: Gigabit Ethernet, 10 Gigabit Ethernet, SFP, SFP+
Storage: Up to 64 GB Flash
